Healthcare Cybersecurity Weekly Briefing 6-30-2017

Today, one of the largest drug makers in the U.S., Merck, reported being infected by the malware, as did the multinational law firm DLA Piper, which counts more than 20 offices in the U.S. Heritage Valley Health Systems, a health care network that runs two hospitals in Western Pennsylvania, also confirmed in a statement to Recode on Tuesday that it was a victim of the same ransomware attack that has spread around the globe.

Saxon and representatives of medical device manufacturers said the threat of a hacking attack on the 15 million devices in the U.S. that would kill the wearer was “highly unlikely” at present. But hacks could be used to gain access to health care networks and a trove of increasingly valuable data, Saxon said at a June 28 event hosted by the Bipartisan Policy Center. However, such devices will present a big target for ransomware and data exfiltration and could potentially lead to physical dangers to patients, former CIA Deputy Director Michael Morell said.

The malware, named WORM_RETADUP.A, attempts to infiltrate not just the infected system but also shared folders located within the connected local network, the company warned in a blog post on Thursday. It is designed to steal login credentials and other browser-based information, as well as to collect keystrokes and system information. Moreover, the info stealer is wormable, Trend Micro reported, propagating itself by creating copies of itself, “including shortcut files, a non-malicious AutoIt executable, and a malicious AutoIt script into the affected system’s root directory, i.e., C:\WinddowsUpdated\<file copy>”.
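The drop layout quoted above (shortcut files, an AutoIt executable and an AutoIt script together in a root-level directory named as reported) is something a defender can check for in per-host file listings. The following is an added example written for this briefing, not Trend Micro's or the malware's code; it assumes you already have Windows path listings per host (for example exported from an EDR), treats a share root the same as a drive root because the report says the worm also copies itself into shared folders, and the sample listing is constructed.

```python
"""Triage file listings for the RETADUP drop layout described in the briefing."""
from collections import defaultdict
from pathlib import PureWindowsPath

DROP_DIR = "winddowsupdated"        # directory name exactly as quoted in the report
NEEDED = {".lnk", ".exe", ".au3"}   # shortcut, AutoIt runtime, AutoIt script


def _at_root(d: PureWindowsPath) -> bool:
    """True when d sits directly under a drive root (C:\\X) or share root (\\\\srv\\share\\X)."""
    return d.parent == PureWindowsPath(d.drive + "\\")


def assess_listing(paths):
    """Return {directory: verdict} for every directory whose name matches DROP_DIR.

    'match'   - at a drive/share root and all three artifact types are present
    'partial' - name matches but the location or one of the artifacts is missing
    """
    by_dir = defaultdict(set)
    for raw in paths:
        p = PureWindowsPath(raw)
        if p.parent.name.lower() == DROP_DIR:
            by_dir[str(p.parent)].add(p.suffix.lower())
    verdicts = {}
    for d, suffixes in by_dir.items():
        full = _at_root(PureWindowsPath(d)) and NEEDED <= suffixes
        verdicts[d] = "match" if full else "partial"
    return verdicts


def hosts_to_triage(listings):
    """Sorted hosts that have at least one full-pattern match."""
    return sorted(h for h, paths in listings.items()
                  if "match" in assess_listing(paths).values())


# Constructed sample listings (hypothetical hosts, not real indicators).
SAMPLE = {
    "ws-01": [r"C:\WinddowsUpdated\update.lnk", r"C:\WinddowsUpdated\AutoIt3.exe",
              r"C:\WinddowsUpdated\svc.au3", r"C:\Windows\System32\cmd.exe"],
    "ws-02": [r"C:\Users\jdoe\Downloads\WinddowsUpdated\note.txt"],
    "fs-01": [r"\\fs-01\public\WinddowsUpdated\update.lnk",
              r"\\fs-01\public\WinddowsUpdated\AutoIt3.exe",
              r"\\fs-01\public\WinddowsUpdated\svc.au3"],
    "ws-03": [r"C:\Program Files\app\app.exe"],
}

if __name__ == "__main__":
    for host in hosts_to_triage(SAMPLE):
        print(host, assess_listing(SAMPLE[host]))
```

A 'partial' verdict still deserves a look, since a listing taken mid-infection or a renamed runtime would not show all three artifact types.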

Pennsylvania-based Heritage Valley Health System (HVHS) reported that it had experienced a cybersecurity incident on June 27, 2017. […] “The incident is widespread and is affecting the entire health system including satellite and community locations,” HVHS said in its online statement. “We have implemented downtime procedures and made operational adjustments to ensure safe patient care continues un-impeded.”

Citing recent data from HIMSS, Ehrenfeld explained that despite the “tsunami of cyber threats” against health IT systems, healthcare providers and organizations are woefully underfunding their defense efforts. “Only half of US healthcare organizations say they believe that they have adequate human or financial resources to either detect or manage a data breach,” Ehrenfeld said. “Only half. Healthcare providers, according to HIMSS, spend about 6 percent of their health IT budget on security.”

“For [health-related apps] and other digital technologies to take hold and reach their fullest potential, it is critical that FDA be forward-leaning in making sure that we have implemented the right policies and regulatory tools, and communicated them clearly, to encourage safe and effective innovation,” he explained. […] FDA will also undertake a new approach to regulation, Gottlieb wrote. The pilot program will help create “a more efficient, risk-based regulatory framework for overseeing” medical technologies, such as digital health tools.

He described it as a health-focused version of the National Cybersecurity and Communications Integration Center (NCCIC) at the DHS and said it would be operational this month. […] Johnson and McCaskill, who lead the Senate Homeland and Governmental Affairs Committee, wrote to HHS Secretary Tom Price on Wednesday asking for more information about the center, including documents demonstrating the need for it. “We are interested in learning more about the HCCIC’s purpose and how it will interact with the NCCIC, the rest of the federal government, and the private sector without duplicating efforts already underway by the Department of Homeland Security,” they wrote.

By virtue of possessing millions of medical records, the Department of Health and Human Services is a prime and frequent target for attempted cybersecurity intrusions. HHS CIO Beth Killoran estimated that the department faces “500 million cyber hack attempts each week” and cautioned that this already staggering number is only going to swell in the future.

The Google “Removal Policies” page now lists “confidential, personal medical records of private people” as types of information it may remove from its search. […] Patient data becoming available through public search engines can create issues for both individuals and the healthcare provider that was in charge of keeping that data secure. In 2016, a class action lawsuit stemming from a 2012 incident with PHI made searchable via an internet search engine resulted in a $7.5 million settlement.

The US Court of Appeals for the Eleventh District heard oral arguments last week in the case of LabMD, Inc. versus the Federal Trade Commission (FTC). The Court must determine if the FTC overstepped its authority with its data security enforcement standard. […] LabMD points out that what the FTC here found to be harm is “not even ‘intangible,’” as a true data breach of personal information to the public might be, “but rather is purely conceptual” because this harm is only speculative.


About Critical Informatics

We are world-class information security professionals providing Managed Detection and Response services to help you be secure, compliant, and resilient against threats to the life safety, life-sustaining, and quality-of-life systems and services you provide to clients, customers, constituents, and communities.